From 5ffeb4af1522ca8091eebf25ae548c199b319070 Mon Sep 17 00:00:00 2001
From: Matt Oswalt
Date: Tue, 30 Jul 2019 14:25:39 -0700
Subject: [PATCH 1/6] Re-introduce image initialization changes
Signed-off-by: Matt Oswalt
---
 api/exp/lessons.go | 9 ++++-----
 scheduler/pods.go | 10 +++-------
 2 files changed, 7 insertions(+), 12 deletions(-)
diff --git a/api/exp/lessons.go b/api/exp/lessons.go
index 1be3ede6..9e9831d2 100644
--- a/api/exp/lessons.go
+++ b/api/exp/lessons.go
@@ -208,11 +208,10 @@ func validateLesson(syringeConfig *config.SyringeConfig, lesson *pb.Lesson) erro
 return fail
 }
- // TODO(mierdin): Enable once the NRE Labs curriculum has been adjusted
- // if strings.Contains(ep.Image, ":") {
- // log.Error("Tags are not allowed in endpoint image refs")
- // return fail
- // }
+ if strings.Contains(ep.Image, ":") {
+ log.Error("Tags are not allowed in endpoint image refs")
+ return fail
+ }
 if ep.ConfigurationType == "" {
 continue
diff --git a/scheduler/pods.go b/scheduler/pods.go
index f09a69f3..415559b6 100644
--- a/scheduler/pods.go
+++ b/scheduler/pods.go
@@ -79,11 +79,8 @@ func (ls *LessonScheduler) createPod(ep *pb.Endpoint, networks []string, req *Le
 InitContainers: initContainers,
 Containers: []corev1.Container{
 {
- Name: ep.GetName(),
- // TODO(mierdin): Switch back the below once the NRE Labs curriculum has been adjusted
- // Image: fmt.Sprintf("%s:%s", ep.GetImage(), ls.SyringeConfig.CurriculumVersion),
- Image: ep.GetImage(),
- // Omitting in order to keep things speedy. For debugging, uncomment this, and the image will be pulled every time.
+ Name: ep.GetName(),
+ Image: fmt.Sprintf("%s:%s", ep.GetImage(), ls.SyringeConfig.CurriculumVersion),
 ImagePullPolicy: "Always",
 // ImagePullPolicy: "IfNotPresent",
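Review bot: The added `strings.Contains(ep.Image, ":")` rejects any colon, so a registry host with a port (`localhost:5000/foo`) and a digest-pinned ref (`foo@sha256:…`) are refused with a message that only talks about tags. If registry ports should remain usable, test only the last path component, `if strings.Contains(path.Base(ep.Image), ":") {` (with `path` imported), which still rejects both `name:tag` and `name@sha256:…`. The log line should also carry the offending value, `log.Errorf("Tags are not allowed in endpoint image refs: %q", ep.Image)`, so the lesson author can locate the endpoint at fault. validateLesson's loop over endpoints starts and ends outside the hunk.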
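Review bot: The new `Image: fmt.Sprintf("%s:%s", ep.GetImage(), ls.SyringeConfig.CurriculumVersion)` produces an unpullable ref such as `foo:` if CurriculumVersion is empty, and a double-tagged one if an endpoint image carrying a tag ever reaches createPod without going through validateLesson; nothing in this hunk guards either case. Unless LoadConfigVars guarantees a default (the test fixture's `CurriculumVersion: "latest"` suggests it does), a comment on the Image line recording both invariants would make the dependency explicit, e.g. `// ep.Image is validated tag-free in validateLesson; CurriculumVersion is assumed non-empty — TODO confirm`. Note also that with `ImagePullPolicy: "Always"` the version tag is a mutable reference resolved at every pod start, so the running image is whatever the registry currently serves under that tag. createPod's body continues outside the hunk.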
@@ -118,8 +115,7 @@ func (ls *LessonScheduler) createPod(ep *pb.Endpoint, networks []string, req *Le
 // It may also be required by other images we bring on board.
 privilegedImages := map[string]string{
- // TODO(mierdin): Fix these once the new image is available
- // "antidotelabs/container-vqfx": "",
+ "antidotelabs/container-vqfx": "",
 "antidotelabs/vqfx:snap1": "",
 "antidotelabs/vqfx:snap2": "",
 "antidotelabs/vqfx:snap3": "",
From 662e40fb24c79fbd4d8acd236ad859150c1bbf7c Mon Sep 17 00:00:00 2001
From: Matt Oswalt
Date: Fri, 2 Aug 2019 23:17:38 -0700
Subject: [PATCH 2/6] Added ability to configure privileged images from env var
Signed-off-by: Matt Oswalt
---
 config/config.go | 19 ++++++++++++++++++
 config/config_test.go | 7 ++++++-
 scheduler/pods.go | 45 +++++++++++++++----------------------
 3 files changed, 40 insertions(+), 31 deletions(-)
diff --git a/config/config.go b/config/config.go
index 069b4bcb..9f3edf17 100644
--- a/config/config.go
+++ b/config/config.go
@@ -5,6 +5,7 @@ import (
 "errors"
 "os"
 "strconv"
+ "strings"
 log "github.com/sirupsen/logrus"
 )
@@ -32,6 +33,8 @@ type SyringeConfig struct {
 CurriculumRepoRemote string
 CurriculumRepoBranch string
+ PrivilegedImages []string
+
 AllowEgress bool
 }
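Review bot: Now that validateLesson rejects any image ref containing a colon, the context keys `antidotelabs/vqfx:snap1`/`snap2`/`snap3` (and the `antidotelabs/vqfx-full:18.1R1.9` entry the next patch shows just below) can no longer equal `ep.Image`, so after this commit only the newly uncommented untagged `antidotelabs/container-vqfx` key is live and the vqfx endpoints silently lose privileged mode. The tagged keys should be rewritten untagged in the same commit, or a comment such as `// tagged keys below are dead until the curriculum drops image tags` should record the gap. The map sits inside createPod, whose body starts and ends outside the hunk.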
@@ -176,6 +179,22 @@ func LoadConfigVars() (*SyringeConfig, error) {
 config.AllowEgress = true
 }
+ // +syringeconfig SYRINGE_PRIVILEGED_IMAGES is a string slice that specifies which images need privileged
+ // access granted to them. This option will eventually be deprecated in favor of a more secure option, but
+ // for now, this allows us to at least be selective about what images are granted these privileges - ideally
+ // only images which only allow user access from within a VM.
+ // Images should be separated by commas, no spaces. Image tags should NOT be included.
+ privImages := os.Getenv("SYRINGE_PRIVILEGED_IMAGES")
+ if privImages == "" {
+ config.PrivilegedImages = []string{
+ "antidotelabs/container-vqfx",
+ "antidotelabs/vqfx",
+ "antidotelabs/vqfx-full",
+ }
+ } else {
+ config.PrivilegedImages = strings.Split(privImages, ",")
+ }
+
 log.Debugf("Syringe config: %s", config.JSON())
 return &config, nil
diff --git a/config/config_test.go b/config/config_test.go
index 2205d55d..90bd1e9e 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -67,7 +67,12 @@ func TestConfigJSON(t *testing.T) {
 CurriculumVersion: "latest",
 CurriculumRepoRemote: "https://github.com/nre-learning/nrelabs-curriculum.git",
 CurriculumRepoBranch: "master",
- AllowEgress: false,
+ PrivilegedImages: []string{
+ "antidotelabs/container-vqfx",
+ "antidotelabs/vqfx",
+ "antidotelabs/vqfx-full",
+ },
+ AllowEgress: false,
 }
 t.Log(syringeConfig.JSON())
diff --git a/scheduler/pods.go b/scheduler/pods.go
index 415559b6..c3e16bca 100644
--- a/scheduler/pods.go
+++ b/scheduler/pods.go
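Review bot: `config.PrivilegedImages = strings.Split(privImages, ",")` keeps surrounding whitespace and empty elements, so a value like `a, b` or a trailing comma yields entries (` b`, `""`) that never equal an endpoint image, and the comment's "no spaces" rule is enforced only by silent loss of the privilege grant. An operator also cannot express "grant privileged mode to no image", because an empty variable falls back to the built-in list; that trade-off deserves a sentence in the `+syringeconfig` comment. Trimming each element and dropping blanks makes the parse forgiving without changing the exact-match semantics the scheduler relies on. The comment's "Image tags should NOT be included" is likewise unchecked here, even though a tagged entry can never match an image that passed validateLesson.
```go
privImages := os.Getenv("SYRINGE_PRIVILEGED_IMAGES")
if privImages == "" {
	// … unchanged: built-in default list …
} else {
	for _, img := range strings.Split(privImages, ",") {
		img = strings.TrimSpace(img)
		if img == "" {
			continue
		}
		config.PrivilegedImages = append(config.PrivilegedImages, img)
	}
}
```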
@@ -82,24 +82,13 @@ func (ls *LessonScheduler) createPod(ep *pb.Endpoint, networks []string, req *Le
 Name: ep.GetName(),
 Image: fmt.Sprintf("%s:%s", ep.GetImage(), ls.SyringeConfig.CurriculumVersion),
 ImagePullPolicy: "Always",
-
- // ImagePullPolicy: "IfNotPresent",
-
 Env: []corev1.EnvVar{
- // Passing in full ref as an env var in case the pod needs to configure a base URL for ingress purposes.
 {Name: "SYRINGE_FULL_REF", Value: fmt.Sprintf("%s-%s", nsName, ep.GetName())},
 },
 Ports: []corev1.ContainerPort{}, // Will set below
 VolumeMounts: volumeMounts,
- SecurityContext: &corev1.SecurityContext{
- Capabilities: &corev1.Capabilities{
- Add: []corev1.Capability{
- "NET_ADMIN",
- },
- },
- },
 },
 },
@@ -107,25 +96,21 @@ func (ls *LessonScheduler) createPod(ep *pb.Endpoint, networks []string, req *Le
 },
 }
- // TODO(mierdin): Obviously, this isn't ideal. We were previously granting privileged status to
- // all containers, so this is technically an improvement, but not much of one. Preferably very soon
- // we should come up with a more suitable short-term solution. The correct long-term solution
- // might be something like labtainers, or kubevirt.
- // Privileged status is currently required by both the lite and full vqfx versions.
- // It may also be required by other images we bring on board.
- privilegedImages := map[string]string{
-
- "antidotelabs/container-vqfx": "",
- "antidotelabs/vqfx:snap1": "",
- "antidotelabs/vqfx:snap2": "",
- "antidotelabs/vqfx:snap3": "",
- "antidotelabs/vqfx-full:18.1R1.9": "",
- }
- if _, ok := privilegedImages[ep.Image]; ok {
- b := true
- pod.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{
- Privileged: &b,
- AllowPrivilegeEscalation: &b,
+ // TODO(mierdin): See Antidote mini-project 6 (MP6) for details on how we're planning to obviate
+ // the need for privileged mode entirely. For now, this mechanism allows us to only grant this to
+ // images that contain a virtualization layer (i.e. network devices).
+ for i := range ls.SyringeConfig.PrivilegedImages {
+ if ep.Image == ls.SyringeConfig.PrivilegedImages[i] {
+ b := true
+ pod.Spec.Containers[0].SecurityContext = &corev1.SecurityContext{
+ Privileged: &b,
+ AllowPrivilegeEscalation: &b,
+ Capabilities: &corev1.Capabilities{
+ Add: []corev1.Capability{
+ "NET_ADMIN",
+ },
+ },
+ }
 }
 }
From a41f3168a68e0c521a503400188c9146f6d81d56 Mon Sep 17 00:00:00 2001
From: Matt Oswalt
Date: Fri, 2 Aug 2019 23:23:48 -0700
Subject: [PATCH 3/6] Update changelog
Signed-off-by: Matt Oswalt
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6b128bc1..ee86ce67 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
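Review bot: `Privileged: &b` already gives the container every capability, so the `Capabilities.Add: NET_ADMIN` block placed inside the privileged branch is redundant and misleads a reader into thinking NET_ADMIN is the only extra privilege granted; either drop it or annotate it, `// redundant under Privileged; kept to document the capability actually needed`. The loop also keeps scanning after a match, so a `break` after the SecurityContext assignment makes the intent clear. The comparison `ep.Image == ls.SyringeConfig.PrivilegedImages[i]` is an exact string match, which fails closed for differently spelled refs such as a registry-qualified `docker.io/antidotelabs/vqfx`; that is the safe direction but worth stating in a comment so nobody "fixes" it with a prefix match. The enclosing createPod starts outside the hunk.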
@@ -9,7 +9,7 @@
 - Limit volume mount to lesson directory [#109](https://github.com/nre-learning/syringe/pull/109)
 - Add configuration options to influxdb export [#108](https://github.com/nre-learning/syringe/pull/108)
 - Add config flag to permit egress traffic [#119](https://github.com/nre-learning/syringe/pull/119)
-- Support option to specify curriculum version [#120](https://github.com/nre-learning/syringe/pull/120)
+- Enhanced granularity for image privileges and versions [#123](https://github.com/nre-learning/syringe/pull/123)
 ## v0.3.2 - April 19, 2019
From 30e4cb1f9bd37ba5b68fd154adfcaa2a834e92b3 Mon Sep 17 00:00:00 2001
From: Matt Oswalt
Date: Fri, 2 Aug 2019 23:25:11 -0700
Subject: [PATCH 4/6] Add cumulus VX to default privileged image list
Signed-off-by: Matt Oswalt
---
 config/config.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/config/config.go b/config/config.go
index 9f3edf17..fd8a3e2f 100644
--- a/config/config.go
+++ b/config/config.go
@@ -190,6 +190,7 @@ func LoadConfigVars() (*SyringeConfig, error) {
 "antidotelabs/container-vqfx",
 "antidotelabs/vqfx",
 "antidotelabs/vqfx-full",
+ "antidotelabs/cvx",
 }
 } else {
 config.PrivilegedImages = strings.Split(privImages, ",")
From e7b3c8d58c66b47867cbb1f8d5be272f16a71afa Mon Sep 17 00:00:00 2001
From: Matt Oswalt
Date: Mon, 5 Aug 2019 17:47:03 -0700
Subject: [PATCH 5/6] Change default images list to include updated vqfx snapshots
Signed-off-by: Matt Oswalt
---
 config/config.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/config/config.go b/config/config.go
index fd8a3e2f..8b3cdeba 100644
--- a/config/config.go
+++ b/config/config.go
@@ -188,7 +188,9 @@ func LoadConfigVars() (*SyringeConfig, error) {
 if privImages == "" {
 config.PrivilegedImages = []string{
 "antidotelabs/container-vqfx",
- "antidotelabs/vqfx",
+ "antidotelabs/vqfx-snap1",
+ "antidotelabs/vqfx-snap2",
+ "antidotelabs/vqfx-snap3",
 "antidotelabs/vqfx-full",
 "antidotelabs/cvx",
 }
From 4026fd29ef9a5ea03358fb65b8484e94378a459a Mon Sep 17 00:00:00 2001
From: Matt Oswalt
Date: Mon, 5 Aug 2019 17:52:06 -0700
Subject: [PATCH 6/6] update config test
Signed-off-by: Matt Oswalt
---
 config/config_test.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/config/config_test.go b/config/config_test.go
index 90bd1e9e..9d364f65 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -69,8 +69,11 @@ func TestConfigJSON(t *testing.T) {
 CurriculumRepoBranch: "master",
 PrivilegedImages: []string{
 "antidotelabs/container-vqfx",
- "antidotelabs/vqfx",
+ "antidotelabs/vqfx-snap1",
+ "antidotelabs/vqfx-snap2",
+ "antidotelabs/vqfx-snap3",
 "antidotelabs/vqfx-full",
+ "antidotelabs/cvx",
 },
 AllowEgress: false,
 }